Can you trust departing employees?
By Tony Anscombe
As we begin to sort out what the post-pandemic business world will look like, we are also facing the Great Resignation.
In the current job market, employees are feeling empowered, and aggressive recruiting is feeding that empowerment. In contrast to the height of the pandemic when business shutdowns were pushing people out of work, today we are seeing more workers making the decision to move on in pursuit of better opportunities or to discover improved work-life balance.
One of the corollary impacts of this phenomenon is an almost perfect storm for online lurkers with nefarious intentions.
The pandemic made remote work the norm, which also meant more reliance on cloud infrastructure. Now, a large exodus of workers is adding to the risks businesses face.
Staff turnover is one of the soft spots for cyberattackers, especially when companies have inadequate off-boarding policies for decommissioning a former employee’s files — and their access to the company network.
Cloud-based applications, data stores and other corporate networked resources can be accessed today from virtually any device, anywhere. This has become essential to supporting productivity during the pandemic, but it can also make it easier for employees to circumvent policies — even after they have left the organization — unless the right controls are in place. Effective offboarding processes are an essential part of any security strategy.
The risks are real. According to the Ponemon Institute’s 2020 Cost of Insider Threats Global Report, the cost of insider-related incidents jumped by 31 per cent between 2018 and 2020, costing businesses nearly $11.5 million. It’s more than a coincidence that as many as 43 per cent of organizations don’t even have a policy that forbids staff taking work data with them when they leave, and nearly half of departing employees download, save, send or exfiltrate work-related documents before leaving employment.
This is fertile ground for a data breach. But there are steps all companies and organizations should be taking to protect themselves when an employee is leaving the organization:
Clear communication policy: Roughly 72 per cent of office workers think the data they create at work belongs to them. It is incumbent on employers to ensure all employees understand the limits of their ownership of intellectual property. This policy should be formalized in writing and clearly communicated as part of the onboarding process, with clear warnings about what will happen if the policy is broken.
Continuous monitoring: An unscrupulous employee planning to steal information is likely to begin doing so before they give notice of their pending departure. It is up to the company to put in place monitoring technologies that continuously record and flag suspicious activity — while respecting privacy laws and employee ethical concerns.
Have a policy and process in place: The best way to manage seamless and effective offboarding is to have a clear workflow in place ahead of time. Almost every organization has a formal onboarding process in place, but many forget to do the same for departing staff. An effective offboarding process should include:
- revoking access to company networks and resetting passwords for all apps and services
- revoking building access
- exit interviews to check for suspicious behaviour
- final review of monitoring/logging tools for evidence of unusual activity
- if suspicious activity is suspected, elevate the matter to human resources
- reclaim all physical devices that are the property of the company
- prevent email forwarding and file sharing
- re-assign necessary licenses to other users.
As we move towards the post-pandemic world, companies cannot afford to have valuable IP walking out the door with disenfranchised employees. The financial and reputational damage of an IT breach can be severe.
Offboarding is one small piece of the security puzzle, but it is a critically important one.
Tony Anscombe is the Chief Security Evangelist with ESET Canada, a leading global IT-security company.